Channels

Services

Unpatched hole in Internet Explorer allows code injection

In its security blog, McAffee has reported a vulnerability in Internet Explorer 6 and 7 when running on a fully patched Windows XP SP2. This could allow attackers to inject malicious code into users' systems via specially prepared web pages or emails. Manipulated files for animated cursors (.ani) are said to execute injected arbitrary code on a system completely silently, without causing, for example, a browser crash.

Initially, McAfee researchers discovered a proof of concept file on a message board, and then shortly afterwards the first malicious sample appeared. McAfee identifies it as Exploit-ANIfile.c, Trend Micro as TROJ_ANICMOO.AX. Once the exploit is embedded in the system it will load further malicious software, according to McAfee's description. To date, this exploit has not been widely distributed, but more virus makers are likely to examine the hole and generate new exploits which take advantage of it.

The exploit is particularly malignant because it doesn't even cause a browser to crash. Therefore, users are completely unaware that they have been under attack. McAfee is still examining the vulnerability. So far, neither additional details nor measures to protect browsers have been publicised. It is therefore recommended to access the net with alternative browsers like Opera or Firefox until Microsoft has released a patch. Since McAfee has also identified emails as potential attack vectors, Outlook and Outlook Express users are advised to open HTML emails in text format only.

So far, Microsoft has not confirmed this new vulnerability. It is unclear, however, whether McAfee has informed Microsoft of the hole. A similar security hole was already patched by Microsoft in early 2005.